[Cdrecord-support] Cdrtools-2.01.01a72 ready
Joe Feise
jfeise at feise.com
Thu Jan 14 16:55:24 CET 2010
Joerg Schilling wrote on 01/14/10 01:16:
> "Joe Feise" <jfeise at feise.com> wrote:
>
>> On Mon, January 11, 2010 03:47, Joerg Schilling wrote:
>>> NEW features of cdrtools-2.01.01a72:
>> With BerliOS having been compromised (see
>> http://www.heise.de/newsticker/meldung/Open-Source-Projektboerse-BerliOS-faellt-Angriff-zum-Opfer-902800.html
>> or
>> http://www.h-online.com/open/news/item/BerliOS-open-source-project-portal-falls-victim-to-attack-903990.html)
>> and no MD5 hashes for recent versions of cdrtools in
>> ftp://ftp.berlios.de/pub/cdrecord/alpha/!MD5_SUMS, it may be prudent to be
>> rather careful with new versions of cdrtools.
>
> Please note: heise.de is a website that is primarily interested in a high
> click rate on ads and as a result the reports are not always correct but
> rather intended to create interest....
I know several people at heise.de personally, and I do know that your assertion
is wrong.
Further, you yourself post there...
> We checked our servers and there was no manipulation on download files or
> other important files.
With all due respect, I prefer to verify myself if what I download matches MD5
and/or GPG signatures. Trust but verify...
> Even GPG signatures do not help. I know of at least one tar archive on
> ftp.gnu.org that has an apparently matching GPG signature but the content
> of the tar archive differs from the original.
While that may be the case, that has nothing to do with BerliOS or cdrtools.
It is nothing more than a red herring.
> I know that I can still trust BerliOS.
Good for you. You have not given *me* any assurance that *I* can trust the
server, though.
More openness would be appreciated.
An example of how such things *should* be handled is how the Apache Infrastructure
Team handled a compromise of their servers last year:
https://blogs.apache.org/infra/entry/apache_org_downtime_initial_report
-Joe
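As an added example (not code from the thread or from the cdrtools project), here is a small Python checker for an md5sum(1)-style list such as BerliOS's !MD5_SUMS, run against constructed files; the filenames, contents and hash values in it are constructed, and the list layout is assumed to be the standard `<32 hex>  [*]<filename>` format.

```python
import hashlib
import os
import tempfile


def parse_md5_sums(text):
    """Parse md5sum(1)-style lines ('<32 hex>  [*]<filename>') into {filename: hash}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 32:
            continue  # skip malformed lines instead of treating them as a match
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' marks binary mode
        sums[name] = digest
    return sums


def md5_of_file(path):
    """Stream the file so large tarballs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, sums_text):
    """Return 'ok', 'mismatch', or 'unlisted' (no hash published for this file)."""
    sums = parse_md5_sums(sums_text)
    name = os.path.basename(path)
    if name not in sums:
        return "unlisted"
    return "ok" if md5_of_file(path) == sums[name] else "mismatch"


# Constructed sums list: the first entry is md5(b"abc"), the second is deliberately wrong.
SUMS_TEXT = """\
900150983cd24fb0d6963f7d28e17f72  cdrtools-2.01.01a72.tar.bz2
00000000000000000000000000000000  *cdrtools-2.01.01a71.tar.bz2
"""


def demo():
    """Write three constructed 'tarballs' (content b'abc') and verify each against SUMS_TEXT."""
    tmp = tempfile.mkdtemp()
    results = {}
    for name in ("cdrtools-2.01.01a72.tar.bz2", "cdrtools-2.01.01a71.tar.bz2",
                 "cdrtools-2.01.01a73.tar.bz2"):
        path = os.path.join(tmp, name)
        with open(path, "wb") as f:
            f.write(b"abc")
        results[name] = verify_download(path, SUMS_TEXT)
    return results


if __name__ == "__main__":
    print(demo())
```

A sums list fetched from the same server as the tarball can be replaced together with it, so the check only adds assurance when the list (or a signature over it) comes from a separate channel.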